Website Recon

Other information you can get from the website

Basic Information

SSL Certificates

Check the SSL certificate for more information.

It could contain other subdomains.

whatweb

https://github.com/urbanadventurer/WhatWeb

Run whatweb to gain information about the target

$ whatweb -v -a http://SERVER:PORT

Fuzzing

FFUF

Directory Fuzzing

$ ffuf -w directory_wordlist:FUZZ -u http://SERVER:PORT/FUZZ

Extension Fuzzing

$ ffuf -w extension_wordlist:FUZZ -u http://SERVER:PORT/indexFUZZ

Page Fuzzing

$ ffuf -w content_wordlist:FUZZ -u http://SERVER:PORT/blog/FUZZ.php

Sub-domain Fuzzing

$ ffuf -w subdomain_wordlist:FUZZ -u https://FUZZ.SERVER:PORT/

vHost Fuzzing

$ ffuf -w subdomain_wordlist:FUZZ -u http://SERVER:PORT/ -H 'Host: FUZZ.SERVER:PORT' -fs xxx

Parameter Fuzzing - GET

$ ffuf -w param_wordlist:FUZZ -u http://SERVER:PORT/admin.php?FUZZ=key -fs xxx

Parameter Fuzzing - POST

$ ffuf -w param_wordlist:FUZZ -u http://SERVER:PORT/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx

Value Fuzzing - GET

$ ffuf -w value_wordlist:FUZZ -u http://SERVER:PORT/admin.php?id=FUZZ -fs xxx

Value Fuzzing - POST

$ ffuf -w value_wordlist:FUZZ -u http://SERVER:PORT/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx

LFI Fuzzing

$ ffuf -w JHADDIX_LFI:FUZZ -u http://SERVER:PORT/admin.php?page=FUZZ -fs xxx

Other tools

$ ./search_censys.py -d victim.com

$ ./dnsrecon.py -d victim.com -t brt -D subdomains-top1mil.txt

Web Screenshots

If you have many URLs to go through, instead of manually visiting them, you can take screenshots of the websites instead for a quick review

$ webscreenshot -i urls.txt